HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.
CVE-2023-24999 - Medium Severity Vulnerability
A tool for secrets management, encryption as a service, and privileged access management
Library home page: https://github.com/hashicorp/vault.git
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.
Publish Date: 2023-03-10
URL: CVE-2023-24999
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-24999
Release Date: 2023-03-10
Fix Resolution: v1.10.11,v1.11.8,v1.12.4
Step up your Open Source Security Game with Mend here